Saturday, April 21, 2012

With the increase in MBR infectors, I've decided to release a script I wrote that parses the MBR (partition table and boot signature) and also hashes and disassembles the bootcode. I've found that MBR bootcode is pretty stable across systems running the same OS version, so the script should let you quickly compare a suspect system's bootcode hash against a known-good one and spot any discrepancies.

@Cdtdelta: The output looks the same :-P I can provide clean and infected MBRs if that would help, but you could just as easily take one from a clean VM and then infect the VM with a sample from Offensive Computing (like Mebromi) and see for yourself. I'm really leaving the analysis to the user.

@vl: give me a bit and I'll figure out what the problem is. Someone else reported that they had a problem running the script on Windows, and I had forgotten to test on different Windows systems. I'll post an update when I figure out what the issue is.

Thanks for sharing this little gem. Regarding the problem with running it on Windows systems: the original script always fails (in my tests) with the message "MBR file too small". The problem was that Windows makes a distinction between text and binary files, and the solution is to change line 216:

Before: file = open(a,'r')
After: file = open(a,'rb')

Now it works perfectly. Many thanks Gleeda.
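The post describes parsing the MBR and hashing its bootcode, and the last comment describes the binary-mode fix that makes the sector read correctly on Windows. The following is an added example, written for this page and not Gleeda's script: a small Python 3 parser that reads the sector in 'rb' mode, validates size and signature, hashes the 446-byte bootcode, decodes the partition table, and compares a suspect sector against a known-good one. The function names, the constructed sample sector and the optional capstone-based disassembly are all assumptions; the disassembler the original script uses is not stated on this page.

```python
import hashlib
import struct

# Classic (non-GPT) MBR layout: 446 bytes of bootcode, four 16-byte partition
# table entries, then the two-byte 0x55AA boot signature at offset 510.
MBR_SIZE = 512
BOOTCODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(path):
    """Read the first sector of a dump or raw device, in BINARY mode.
    Text mode ('r') on Windows translates line endings and can stop at 0x1A,
    which is how a 512-byte sector ends up 'too small'."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def validate_mbr(data):
    """Return a list of problems; an empty list means the sector looks sane."""
    if len(data) < MBR_SIZE:
        return ["MBR file too small: %d bytes" % len(data)]
    if data[510:512] != BOOT_SIGNATURE:
        return ["bad boot signature: %s" % data[510:512].hex()]
    return []


def _chs(head, sector_byte, cyl_low):
    """Unpack the CHS triple: sector is the low 6 bits of byte 2, the high
    2 bits are bits 8-9 of the cylinder, byte 3 is the cylinder's low 8 bits."""
    sector = sector_byte & 0x3F
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return (cylinder, head, sector)


def parse_partition_entry(entry):
    status, h0, s0, c0, ptype, h1, s1, c1, lba_start, sectors = struct.unpack("<8BII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "chs_start": _chs(h0, s0, c0),
        "chs_end": _chs(h1, s1, c1),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data):
    """Hash the bootcode and decode the non-empty partition slots."""
    problems = validate_mbr(data)
    if problems:
        raise ValueError("; ".join(problems))
    bootcode = data[:BOOTCODE_SIZE]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = data[off:off + PART_ENTRY_SIZE]
        if entry != b"\x00" * PART_ENTRY_SIZE:
            partitions.append(parse_partition_entry(entry))
    return {
        "bootcode_md5": hashlib.md5(bootcode).hexdigest(),
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "partitions": partitions,
    }


def compare_bootcode(known_good, suspect):
    """(identical, first differing offset) for the bootcode of two sectors."""
    a, b = known_good[:BOOTCODE_SIZE], suspect[:BOOTCODE_SIZE]
    if a == b:
        return (True, None)
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return (False, off)
    return (False, min(len(a), len(b)))


def disassemble(bootcode, count=8):
    """First `count` 16-bit instructions via capstone, or None if not installed."""
    try:
        from capstone import Cs, CS_ARCH_X86, CS_MODE_16
    except ImportError:
        return None
    lines = []
    for insn in Cs(CS_ARCH_X86, CS_MODE_16).disasm(bootcode, 0x7C00):
        lines.append("%04x: %s %s" % (insn.address, insn.mnemonic, insn.op_str))
        if len(lines) >= count:
            break
    return lines


# Constructed sample sector (not a real disk dump): a common 'xor ax,ax / mov ss,ax /
# mov sp,0x7c00' prologue, zero padding, one bootable type-0x07 partition, signature.
SAMPLE_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTCODE_SIZE, b"\x00")
SAMPLE_ENTRY = struct.pack("<8BII", 0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 63, 1000000)
SAMPLE_MBR = SAMPLE_BOOTCODE + SAMPLE_ENTRY + b"\x00" * (3 * PART_ENTRY_SIZE) + BOOT_SIGNATURE
# A 'tampered' copy whose first bytes were replaced by a jump: the discrepancy the hash flags.
TAMPERED_MBR = b"\xe9\x00\x01" + SAMPLE_MBR[3:]

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("bootcode md5:", info["bootcode_md5"])
    for p in info["partitions"]:
        print("partition type=0x%02x lba=%d sectors=%d" % (p["type"], p["lba_start"], p["sectors"]))
    print("identical to known-good?", compare_bootcode(SAMPLE_MBR, TAMPERED_MBR))
    for line in disassemble(SAMPLE_BOOTCODE) or ["(capstone not installed)"]:
        print(line)
```

To check a live system, pass the output of read_mbr() on a dump or device to parse_mbr() and compare its bootcode hash with one taken from a clean machine of the same OS version; the partition table is expected to differ between machines, the bootcode is not.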